Re: Timeouts + Active sessions

2015-02-24 Thread Bryan Talbot
On Tue, Feb 24, 2015 at 1:39 AM, Francois Lagier francois.lag...@gmail.com wrote: Hello everyone, I am currently trying to tune my HAProxy architecture (65k queries per second, low latency requirement (50ms), with 12 servers using multi-core (4 cores per server)) and I have a couple of

Re: NOSRV/BADREQ from some Java based clients [SSL handshake issue]

2015-02-24 Thread NuSkooler
Thanks, this has all been very helpful. Unfortunately it seems that some of the pieces to create a debuggable version of these old clients are currently missing here. If I can get that together I'll debug and hopefully find something. Until then, we'll be attempting to route their traffic around

RE: NOSRV/BADREQ from some Java based clients [SSL handshake issue]

2015-02-24 Thread Lukas Tribus
Attached are two captures: 1) ha_lukas-allow-allow.pcap: This is a capture of the bind line you provided: bind *:443 ssl crt /home/bashby/Lukas/TEST_cert_and_key.pem ciphers \ AES128-SHA verify optional ca-ignore-err all crt-ignore-err all ca-file \ /etc/ssl/certs/cw_client_ca.pem 2)

Re: acl hdr matching bug?

2015-02-24 Thread Klavs Klavsen
Hi Cyril, Thank you for enlightening me. We'll correct that mistake :) Cyril Bonté wrote on 02/24/2015 09:20 AM: Hi Klavs, On 24/02/2015 08:56, Klavs Klavsen wrote: Hi guys, A colleague just found an issue last night, where this acl: acl is_kk-dk hdr_end(host) -i kkdk3.testkkdk.kk.dk

Re: [PATCH 2/2] DOC: Document the new tls-ticket-keys bind keyword

2015-02-24 Thread Nenad Merdanovic
Hello Vincent, Lukas On 2/24/2015 4:56 PM, Lukas Tribus wrote: It would be nice to add a note that without proper rotation, PFS is compromised by the use of TLS tickets. People may not understand why they need to put 3 keys in this file and may never change them. Agreed, we have to clarify

Re: [PATCH 0/2] Add support for TLS ticket keys configuration

2015-02-24 Thread Nenad Merdanovic
Hello Remi, On 2/24/2015 4:25 PM, Remi Gacogne wrote: On 02/24/2015 03:17 PM, Nenad Merdanovic wrote: This patchset adds support to configure TLS ticket keys used for encryption and decryption of TLS tickets. Hi Nenad, I find your patch very interesting and I have some questions about it.

Re: [PATCH 2/2] DOC: Document the new tls-ticket-keys bind keyword

2015-02-24 Thread Vincent Bernat
❦ 24 February 2015 15:17 +0100, Nenad Merdanovic nmer...@anine.io : +tls-ticket-keys keyfile + Sets the TLS ticket keys file to load the keys from. The keys need to be 48 + bytes long, encoded with base64 (ex. openssl rand -base64 48). Number of keys + is specified by the TLS_TICKETS_NO

RE: [PATCH 2/2] DOC: Document the new tls-ticket-keys bind keyword

2015-02-24 Thread Lukas Tribus
It would be nice to add a note that without proper rotation, PFS is compromised by the use of TLS tickets. People may not understand why they need to put 3 keys in this file and may never change them. Agreed, we have to clarify that a never changing tls-tickets-keys file is worse than no file

[PATCH 0/2] Add support for TLS ticket keys configuration

2015-02-24 Thread Nenad Merdanovic
This patchset adds support to configure TLS ticket keys used for encryption and decryption of TLS tickets. Nenad Merdanovic (2): MEDIUM: Add support for configurable TLS ticket keys DOC: Document the new tls-ticket-keys bind keyword doc/configuration.txt | 8 +++

[PATCH 2/2] DOC: Document the new tls-ticket-keys bind keyword

2015-02-24 Thread Nenad Merdanovic
Signed-off-by: Nenad Merdanovic nmer...@anine.io --- doc/configuration.txt | 8 1 file changed, 8 insertions(+) diff --git a/doc/configuration.txt b/doc/configuration.txt index bb7d567..abe592b 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -8969,6 +8969,14 @@ tfo

[PATCH 1/2] MEDIUM: Add support for configurable TLS ticket keys

2015-02-24 Thread Nenad Merdanovic
Until now, the TLS ticket keys couldn't be configured and shared between multiple instances or multiple servers running HAProxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake

unique-id-format

2015-02-24 Thread Jesse Hathaway
In the documentation it states: The format should be composed from elements that are guaranteed to be unique when combined together. Is there a combination of formatting strings that would guarantee uniqueness? Would a patch to add a uuid formatter be accepted? Thanks, Jesse

Re: NOSRV/BADREQ from some Java based clients [SSL handshake issue]

2015-02-24 Thread Willy Tarreau
Hi, On Tue, Feb 24, 2015 at 01:33:32PM -0700, NuSkooler wrote: Thanks, this has all been very helpful. Unfortunately it seems that some of the pieces to create a debuggable version of these old clients are currently missing here. If I can get that together I'll debug and hopefully find

Re: unique-id-format

2015-02-24 Thread Willy Tarreau
Hi Jesse, On Tue, Feb 24, 2015 at 11:30:13AM -0600, Jesse Hathaway wrote: In the documentation it states: The format should be composed from elements that are guaranteed to be unique when combined together. Is there a combination of formatting strings that would guarantee uniqueness? No

[SPAM] Welcome to Rue Des Opportunites

2015-02-24 Thread RuedesOpportunites
Hello, As a VIP member of Capdecision, you will have access to the exclusive offers of RUEDESOPPORTUNITÉS.fr. Starting today we offer to send you offers selected by RUE DES OPPORTUNITÉS. If you are not satisfied with this service, you may at any time

Re: Client side ssl certificates for specific location

2015-02-24 Thread Martin
Remy van Elst relst@... writes: Lukas Tribus wrote on 09/01/14 00:08: Hi, $ openssl s_client -state -quiet -connect xx.xx.xx.xx:443 SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=4